Why should users care about privacy, and protecting their data from being collected and sold by third parties?
To put it simply, your digital data trail is the evidence of your human presence online. Your data is valuable, private, and most important, it’s yours. You are the owner of your data. This fact is often missed, accidentally or otherwise, when communicating about ad blocking and tracking protection.
The ad and marketing industries have created an entire business model centered around extracting, collecting, selling and profiling your data with parties unknown to you, and have banked on users forgetting that the data they sell is your data.
Many signals tell a powerful story
Tracking, ad block and https upgrade counts after 1 week casual browsing
When you load a webpage, a series of calls are made to different locations that serve responses supplying parts of the page that you end up seeing as the page loads. Think of these calls as similar to phone calls, with different details of your caller ID passing back to the remote endpoint. The receiver on the other end captures this data, and determines where to route your request to send a response or responses.
An example of calls made over the network connection when loading a webpage.
Each individual call that is made contains fragments of information about you. When those same parties receive thousands of calls as you navigate from site to site, and then share the data from their profile with other parties, the overall combined profile tells a powerful story about who you are and what you do.
Agencies and other 3rd parties in the ad industry have become proficient at passing as many different pieces of data about users as possible in the calls that are sent, and data platform managers have helped third parties share data with each other to build stronger profiles. These “ID sync” arrangements will be covered in more detail in future posts.
Marketers and advertisers will often point out that they use anonymous advertiser IDs, but the reality is that at scale, anonymous IDs are fairly easy to de-anonymize with a few pieces of information. And sometimes they actually sync with your real home-address-and-phone-number identity.
Before we can address the issues with tracking at lower levels, it’s important to focus on how data is collected for profiling from ISPs and data carriers at the highest level.
The FCC & Self-Serving Internet Service Providers (ISPs)
There has been attention on the recent Senate vote to kill a 2016 FCC consumer privacy ruling.
Beyond the political landscape, let’s look at what this 2016 FCC ruling stated:
Consumers have the right to exercise "meaningful and informed control" over the personal data used by a broadband provider.
Consumers deserve to know what information is being collected about them, how it's being used, and under what circumstances it will be shared.
Accurate disclosures of privacy practices must be provided to consumers "in an easily understandable and accessible manner."
Broadband providers have a responsibility to protect consumer data, both as they carry it across their networks and wherever it is stored; and take responsibility for use and protection of customer information when shared with third parties.
It’s important to keep in mind that this FCC ruling isn’t an outright ban on collecting sensitive user data, it is merely a requirement for ISPs to request user consent for sensitive data collection.
Tom Wheeler, Chairman of the FCC at the time of the ruling, made the following statement:
“There is a basic truth: It is the consumer’s information… ...It is not the information of the network the consumer hires to deliver that information. The consumer has the right to make a decision about how her or his information is used.”
The ad and marketing lobby did not like the ruling:
Association of National Advertisers:
“The FCC’s new sweeping privacy rules decision is unprecedented, misguided, counterproductive, and potentially extremely harmful… ...ANA is committed to seeing these rules undone, either by court challenges or action on Capitol Hill to reverse this extreme overreach by the agency.”
Let that sink in. The Association of National Advertisers has publicly declared that obtaining opt-in human consent for sensitive data collection is potentially extremely harmful.
Data & Marketing Association (formerly the Direct Marketing Association):
“The FCC’s decision is bad for consumers and bad for the U.S. economy... ...FCC’s action ignores what’s working and working well, and supplants it with a burdensome system that will stifle innovation and make it harder to deliver advertising messages that are relevant and useful to consumers.”
This implies that non-consensual sensitive data collection has been easy, and had been working well until the 2016 ruling. Requiring consent is now being labeled as burdensome because it gets in the way of delivering advertising that is relevant for the very people who are denied consent. It’s difficult to imagine ad targeting as more relevant than human consent.
Digital Advertising Alliance:
“By rejecting the industry’s accepted definition of sensitive information, the FCC chose patchwork and inconsistent standards over common sense… ...General web browsing or application use information is clearly not as sensitive as financial or health information, yet this rule treats them the same.”
Except that FCC clearly stated that at the ISP level, this is not the case:
"Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee."
Additionally, thanks to the ad tracking complex, studies have established that humans often search for information related to personal their health and financial conditions. This information is used to target ads to those people, based on their personal circumstances.
Flash forward to 2017, the FCC ruling above has been voted down in the US Senate. Ajit Pai has replaced Tom Wheeler as Chairman of the FCC, with a much different outlook on consumer privacy than his predecessor. Ajit Pai has even gone so far as to call Net Neutrality a mistake. These leadership changes are even more of a reason not to rely on regulators to protect your data and privacy for you.
Mobile, Telecom & Ad Tech
ISPs aren’t the only connection point to be co-opted by the ad and and tracking complex. Mobile telecom service providers have a track record of privacy invasion without user consent.
March, 2016: Verizon was ordered by the FCC to pay a $1.35 million fine for setting Supercookies on user devices without consent, and selling the private data collected to a third party, Turn, Inc. for targeted advertising. Verizon didn’t lose in court, they paid a fine of $1.35 million as part of a settlement for an FCC probe into the practice. To put that fine for privacy violation at scale into perspective, Verizon’s 2015 Financial Highlights reveal that the company had $131.6 billion in consolidated revenue for 2015.
Such fines are a trivial “cost of doing business”.
The lack of teeth in the court-ordered settlements by regulators becomes evident when compared against Verizon’s acquisitions of Yahoo! For $4.83 billion, with plans to merge with AOL, which Verizon acquired for $4.4 billion in 2015.
A 2016 emarketer.com interview with Matt Keiser from LiveIntent provides a troubling look at how Verizon’s acquisitions will likely play out, along with some additional insights into what to expect from telecoms and ad tech in the year ahead.
Some key takeaways:
Keiser: Verizon is one of few companies that's well-positioned to take advantage of all of Yahoo's assets. They have the scale and intake management to leverage them. What they'll end up with is a data set for Verizon, a data set from AOL —which they've been working on integrating—and now there will be a valuable data set from Yahoo as well.
The advantage is that data can't be moved from telecom companies to internet service providers without opt-in consent. However, data can be moved the other way. In other words, behavioral data on what consumers do on AOL can be passed back to Verizon.
Verizon is getting into uncharted territory. Verizon, AOL and Yahoo have an incredible amount of deterministic and behavioral data between them. People-based advertising works for Facebook and Google, but everyone is starting to realize that they need data to craft identities and transition advertising from a desktop world to a mobile-first world.
There are all these marketing clouds from Oracle, Salesforce, Adobe and IBM. They're all trying to build identity graphs to capture consumers' identities across multiple devices. Mobile is the hardest data to collect, because traditional cookies don't work in mobile… ...But telecom companies have mobile data. Even though desktop is the cash cow today, it's pretty obvious the future is in mobile. That's why telecom providers are finding ways to take advantage of their data from an advertising and marketing standpoint...
Why would a carrier like Verizon opt to receive consent to collect your private data, when that carrier can acquire another company that captures your data, and pass it back to themselves? Not only did Verizon buy their way out of the problem, they ultimately found a better way to scale their data collection.
It’s not just the companies you know.
ISPs and telecoms are just two examples of your privacy being owned by default from the highest level, the connection itself. We haven't even gotten into what's actually being being collected, shared, sold, or how methods intended to empower and protect your control over these services are ultimately a farce.
For every major company violating user privacy that you may have heard of, there are several that you’ve likely never heard of. They each game the system in one way or another, because the system itself is essentially a loose confederation of businesses, associations and initiatives with no real regulatory body to enforce or keep up with standard practices.
Know this: Ads on the web are no longer ads, they are surveillance masquerading as ads. The data collected from calls made to request ads can often be more valuable than whether or not the ad served is actually seen by the user (the “viewability crisis” will be a topic of a future blog post).
A Better Web rejects privacy invasion, data collection and sharing with third parties by default.
OK, so what can be reasonably done about this?
The Brave browser offers several features to help safeguard users from some of this collection.
While others may bucket some third party ads (with tracking, which is discounted) as “acceptable”, the reality is that the strongest methods to deter this collection are to:
Brave offers the HTTPSe (HTTPSeverywhere) feature, which upgrades insecure
http:// connections to
https:// whenever possible. This helps to encrypt the communication transported over the network.
Block ads and third party tracking
Brave offers ad blocking and tracking protection by default. Blocking prevents your data from being passed into the request that goes to third parties.
Avoid using Flash when possible
Brave has Flash available for users who want to install and opt-in, but does not come with Flash installed or enabled by default. Flash provides the equivalent of a black box for tracking, and other methods that are used for profiling users.
Of course, the methods above aren’t foolproof, and there will always be cases where a determined adversary can work hard to fight these methods. That said, the measures above help to make the data more difficult to exploit your data, and help to avoid feeding the ad and tracking complex more of your data than you are comfortable with.
So, who am I to make such claims?
Until joining Brave full time in December 2016, I’d spent the past 5+ years working in client services for OAO, specializing in digital ad operations. ad product integration, incident response and support services for the NFL, PGA Tour, Warner Brothers, Tribune Media, NBCUniversal, Comcast and several other major media publishers. I’ve had a unique vantage and experience in the digital ad industry, having been right in the middle of the evolution from semi-harmless campaign tracking to what I can now only describe as near-total consumer surveillance.
Consumer surveillance is not an overstatement, it’s the result of the extremes to which the industry has taken user data collection and profiling. The practices have become such a threat to your privacy and the open web that I made a choice to change course in my career and join Brave to help expose the degree to which the industry has taken these extremes, and work with the team toward building a Better Web.